Bug 1014543 - (CVE-2016-9572) VUL-0: CVE-2016-9572 CVE-2016-9573: openjpeg: heap buffer overflow due to insufficient check in imagetopnm()
Status: RESOLVED FIXED
Classification: Novell Products
Product: SUSE Security Incidents
Component: Incidents
Version: unspecified
Hardware: Other
OS: Other
Priority: P3 - Medium
Severity: Normal
Target Milestone: ---
Assigned To: Security Team bot
URL: https://smash.suse.de/issue/177290/
CVSSv2:RedHat:CVE-2016-9572:4.3:(AV:N...
Depends on:
Blocks: 1015662
Reported: 2016-12-08 12:27 UTC by Marcus Meissner
Modified: 2017-10-26 08:30 UTC

See Also:
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---


Attachments
PoC2.j2k (74 bytes, application/octet-stream), 2016-12-08 12:35 UTC, Marcus Meissner
PoC1.j2k (414 bytes, image/jp2), 2016-12-08 12:37 UTC, Marcus Meissner
openjpeg2-CVE-2016-9572-CVE-2016-9573.patch (7.97 KB, patch), 2016-12-21 05:07 UTC, Hans Petter Jansson

Description Marcus Meissner 2016-12-08 12:27:00 UTC
via rh bugzilla import

CVE-2016-9572: A NULL pointer dereference flaw was found in the way openjpeg decoded certain input images. Due to a logic error in the code responsible for decoding the input image, an application using openjpeg to process image data could crash when processing a crafted image.

Upstream bug:
https://github.com/uclouvain/openjpeg/issues/863

CVE-2016-9573: A heap buffer overflow flaw was found in the way openjpeg decompressed certain input images. Due to an insufficient check in the imagetopnm() function, an application using openjpeg to process image data could crash when processing a crafted image.

Upstream bug:
https://github.com/uclouvain/openjpeg/issues/862

Upstream patch:
https://github.com/szukw000/openjpeg/commit/7b28bd2b723df6be09fe7791eba33147c1c47d0d

Note that the above patch fixes two issues: CVE-2016-9573 as well as CVE-2016-9572.

References:
https://bugzilla.redhat.com/show_bug.cgi?id=1402714
https://bugzilla.redhat.com/show_bug.cgi?id=1402711
Comment 1 Marcus Meissner 2016-12-08 12:35:46 UTC
Created attachment 705611: PoC2.j2k

QA REPRODUCER:

opj_decompress -i PoC2.j2k -o foo.ppm

[INFO] Start to read j2k main header (0).
[INFO] Main header has been correctly decoded.
[INFO] No decoded area parameters, set the decoded area to the whole image
Speicherzugriffsfehler (Speicherabzug geschrieben)

should not cause a segmentation fault.
Comment 2 Marcus Meissner 2016-12-08 12:37:06 UTC
Created attachment 705613: PoC1.j2k

QA REPRODUCER:

opj_decompress -i PoC1.j2k -o foo.ppm

should not result in a segmentation fault.
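A regression check for the two QA reproducers in Comment 1 and Comment 2, added here as an example; it is not part of the bug report or of the openjpeg project. It assumes opj_decompress is on PATH, that the attached PoC1.j2k and PoC2.j2k are in the current directory, and that the script is saved as check-openjpeg-poc.sh (an assumed name). The point it makes is that a fixed package may still reject the crafted files with a non-zero exit status; only a crash (exit status 128+11 from SIGSEGV) is the regression.

```shell
#!/bin/sh
# Added example (not from the bug report or openjpeg): re-run the QA
# reproducers against an installed opj_decompress and fail only on a crash.

# classify_exit STATUS: prints "segfault", "ok" or "error:N".
# A POSIX shell reports a command killed by signal N as 128+N;
# SIGSEGV is signal 11, so status 139 means the decoder crashed.
classify_exit() {
    case "$1" in
        0)   echo ok ;;
        139) echo segfault ;;
        *)   echo "error:$1" ;;
    esac
}

# run_reproducer INPUT: decode INPUT into a throwaway .ppm and classify the
# result. The if/else keeps a non-zero status from tripping `set -e` in a
# caller, and the temp dir is removed whatever happens.
run_reproducer() {
    tmpd="$(mktemp -d)"
    if opj_decompress -i "$1" -o "$tmpd/foo.ppm" >/dev/null 2>&1; then
        status=0
    else
        status=$?
    fi
    rm -rf "$tmpd"
    classify_exit "$status"
}

# check_all: run both attached PoCs; return 1 if either one segfaults.
# A decode error on a crafted file is acceptable output, not a regression.
check_all() {
    fail=0
    for f in PoC1.j2k PoC2.j2k; do
        r="$(run_reproducer "$f")"
        printf '%s: %s\n' "$f" "$r"
        if [ "$r" = segfault ]; then
            fail=1
        fi
    done
    return "$fail"
}

# Run the checks only when executed directly (assumed file name), so the
# functions can also be sourced from another script.
if [ "${0##*/}" = "check-openjpeg-poc.sh" ]; then
    check_all
fi
```

Run it on an updated host with `sh check-openjpeg-poc.sh`; a zero exit means neither PoC crashed the decoder, which is the condition the reporter asks for. Decode errors on the crafted inputs are printed but do not fail the check.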
Comment 3 Swamp Workflow Management 2016-12-08 23:01:46 UTC
bugbot adjusting priority
Comment 4 Hans Petter Jansson 2016-12-21 05:07:55 UTC
Created attachment 707360 [details]
openjpeg2-CVE-2016-9572-CVE-2016-9573.patch
Comment 6 Swamp Workflow Management 2016-12-27 14:08:38 UTC
SUSE-SU-2016:3270-1: An update that fixes 13 vulnerabilities is now available.

Category: security (important)
Bug References: 1002414,1007739,1007740,1007741,1007742,1007743,1007744,1007747,1014543,1014975,999817
CVE References: CVE-2016-7445,CVE-2016-8332,CVE-2016-9112,CVE-2016-9113,CVE-2016-9114,CVE-2016-9115,CVE-2016-9116,CVE-2016-9117,CVE-2016-9118,CVE-2016-9572,CVE-2016-9573,CVE-2016-9580,CVE-2016-9581
Sources used:
SUSE Linux Enterprise Server for Raspberry Pi 12-SP2 (src):    openjpeg2-2.1.0-3.1
SUSE Linux Enterprise Server 12-SP2 (src):    openjpeg2-2.1.0-3.1
SUSE Linux Enterprise Desktop 12-SP2 (src):    openjpeg2-2.1.0-3.1
Comment 8 Bernhard Wiedemann 2017-01-11 19:01:14 UTC
This is an autogenerated message for OBS integration:
This bug (1014543) was mentioned in
https://build.opensuse.org/request/show/449727 13.2 / openjpeg2
https://build.opensuse.org/request/show/449730 42.1 / openjpeg2
Comment 9 Swamp Workflow Management 2017-01-16 18:22:42 UTC
openSUSE-SU-2017:0155-1: An update that fixes 13 vulnerabilities is now available.

Category: security (important)
Bug References: 1002414,1007739,1007740,1007741,1007742,1007743,1007744,1007747,1014543,1014975,999817
CVE References: CVE-2016-7445,CVE-2016-8332,CVE-2016-9112,CVE-2016-9113,CVE-2016-9114,CVE-2016-9115,CVE-2016-9116,CVE-2016-9117,CVE-2016-9118,CVE-2016-9572,CVE-2016-9573,CVE-2016-9580,CVE-2016-9581
Sources used:
openSUSE Leap 42.2 (src):    openjpeg2-2.1.0-11.1
Comment 10 Swamp Workflow Management 2017-01-17 18:49:13 UTC
openSUSE-SU-2017:0185-1: An update that fixes 13 vulnerabilities is now available.

Category: security (important)
Bug References: 1002414,1007739,1007740,1007741,1007742,1007743,1007744,1007747,1014543,1014975,999817
CVE References: CVE-2016-7445,CVE-2016-8332,CVE-2016-9112,CVE-2016-9113,CVE-2016-9114,CVE-2016-9115,CVE-2016-9116,CVE-2016-9117,CVE-2016-9118,CVE-2016-9572,CVE-2016-9573,CVE-2016-9580,CVE-2016-9581
Sources used:
openSUSE 13.2 (src):    openjpeg2-2.1.0-2.3.1
Comment 11 Swamp Workflow Management 2017-01-19 14:10:39 UTC
openSUSE-SU-2017:0207-1: An update that fixes 13 vulnerabilities is now available.

Category: security (important)
Bug References: 1002414,1007739,1007740,1007741,1007742,1007743,1007744,1007747,1014543,1014975,999817
CVE References: CVE-2016-7445,CVE-2016-8332,CVE-2016-9112,CVE-2016-9113,CVE-2016-9114,CVE-2016-9115,CVE-2016-9116,CVE-2016-9117,CVE-2016-9118,CVE-2016-9572,CVE-2016-9573,CVE-2016-9580,CVE-2016-9581
Sources used:
openSUSE Leap 42.1 (src):    openjpeg2-2.1.0-9.1
Comment 12 Swamp Workflow Management 2017-09-26 01:11:42 UTC
openSUSE-SU-2017:2567-1: An update that fixes 15 vulnerabilities is now available.

Category: security (important)
Bug References: 1002414,1007739,1007740,1007741,1007742,1007743,1007744,1007747,1014543,1014975,979907,997857,999817
CVE References: CVE-2015-8871,CVE-2016-7163,CVE-2016-7445,CVE-2016-8332,CVE-2016-9112,CVE-2016-9113,CVE-2016-9114,CVE-2016-9115,CVE-2016-9116,CVE-2016-9117,CVE-2016-9118,CVE-2016-9572,CVE-2016-9573,CVE-2016-9580,CVE-2016-9581
Sources used:
SUSE Package Hub for SUSE Linux Enterprise 12 (src):    openjpeg2-2.1.0-5.1, openjpeg2-2.1.0-6.1
Comment 13 Marcus Meissner 2017-10-26 08:30:57 UTC
released